Rundeck ACL Policy Creation
Rundeck is an awesome tool which has simply impressed us recently. It has built-in support for running commands, creating jobs, scheduling jobs, etc. Refer to our previous posts to know more about Rundeck.
In this post, we will give some examples of how user access can be restricted at the project level. Every file with the extension .aclpolicy in the directory /etc/rundeck (the default installation location) is treated by Rundeck as a valid access-restriction policy file.
rd-acl is a built-in command which helps to create user policies, group policies and Rundeck (application) policies. The following are a few examples which can be used to apply project-level and user-level restrictions.
rd-acl test --context project --groups groupname --project projectname --job testjob --allow read,run -v
---
for:
  job:
    - allow:
        - read
        - run
      equals:
        name: 'testjob'
description: generated
context:
  project: Alerts
by:
  group: groupname
where,
test – display the generated policy in the command prompt. Create a file named name.aclpolicy with the output content.
--context – the access context. Options are rundeck, project
--project – specify your project name.
--job – mention your job name.
--allow – mention the privileges for the above category.
As mentioned earlier, you can simply create groupname.aclpolicy with the lines shown above. The beauty here is that we don't need to restart any service; Rundeck picks up the policy file as it is.
rd-acl test --context application --groups groupname --project projectname --allow read -v
for:
  project:
    - allow: read
      equals:
        name: groupname
description: generated
context:
  application: rundeck
by:
  group: alerts
where,
application – here application refers to Rundeck itself (the application-level context, as opposed to a single project).
The command below adds read and run privileges on the node resources of a project.
rd-acl test --context project --groups alerts --project <projectname> --resource=node --allow read,run -v
where,
--resource – a specific resource type within the project, or the whole project. Options are jobs, system, project, node.
Put simply, the following ACL gives a specific group read-only access to the project (its members can run and kill jobs but cannot edit them).
Create a file groupname.aclpolicy and append the following content.
---
description: "Allow users in runjobs group to run, kill jobs, etc. in the project called YOUR PROJECT"
context:
  project: YOUR PROJECT
by:
  group: groupname
for:
  resource:
    - equals:
        kind: job
      allow: [read, run, kill]
    - equals:
        kind: node
      allow: [read]
    - equals:
        kind: event
      allow: [read] # allow reading activity logs
    - equals:
        kind: 'adhoc'
      allow: [read,run,kill]
  adhoc:
    - allow: [read,run,kill] # allow running/killing adhoc jobs
  job:
    - allow: [read,run,kill]
  node:
    - allow: [read,run] # allow read/run for nodes

---
context:
  application: rundeck
description: "Users in the 'runjobs' group can launch jobs in the project called YOUR PROJECT but not edit them"
for:
  project:
    - match:
        name: 'YOUR PROJECT'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group: groupname
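Before dropping a policy into /etc/rundeck it helps to reason about exactly what it grants. The following is an added example (not Rundeck's own code or the rd-acl tool) that evaluates the project-context document of the groupname.aclpolicy above, represented as the Python structure yaml.safe_load would return; it assumes Rundeck's documented rule model (equals is exact, match is a regular expression, a matching deny overrides any allow, default is deny) and adds one constructed deny rule for nodes named prod-* that is not on the page.

```python
import re

# Constructed: the project-context document of groupname.aclpolicy, as
# yaml.safe_load would return it, plus one constructed deny rule (not on the
# page) to show that deny overrides allow.
PROJECT_POLICY = {
    "context": {"project": "YOUR PROJECT"},
    "by": {"group": "groupname"},
    "for": {
        "resource": [
            {"equals": {"kind": "job"}, "allow": ["read", "run", "kill"]},
            {"equals": {"kind": "node"}, "allow": ["read"]},
        ],
        "job": [{"allow": ["read", "run", "kill"]}],
        "node": [
            {"allow": ["read", "run"]},
            {"match": {"nodename": "prod-.*"}, "deny": ["run"]},  # constructed
        ],
    },
}

def _as_list(value):
    """allow/deny may be a list, a single string, or '*' (all actions)."""
    return value if isinstance(value, list) else ([value] if value else [])

def _rule_matches(rule, attrs):
    """equals = exact attribute equality; match = anchored regular expression."""
    for key, expected in rule.get("equals", {}).items():
        if attrs.get(key) != expected:
            return False
    for key, pattern in rule.get("match", {}).items():
        if not re.fullmatch(str(pattern), str(attrs.get(key, ""))):
            return False
    return True

def allowed(policy, group, project, res_type, attrs, action):
    """True if `group` may perform `action` on a `res_type` resource in `project`."""
    if not re.fullmatch(str(policy["context"].get("project", "")), project):
        return False  # policy is scoped to another project
    if policy.get("by", {}).get("group") != group:
        return False  # policy does not apply to this subject
    decision = False  # Rundeck's default: deny unless some rule allows
    for rule in policy.get("for", {}).get(res_type, []):
        if not _rule_matches(rule, attrs):
            continue
        denied = _as_list(rule.get("deny"))
        if action in denied or "*" in denied:
            return False  # a matching deny always wins
        granted = _as_list(rule.get("allow"))
        if action in granted or "*" in granted:
            decision = True
    return decision
```

With this policy the group can run testjob but not delete it, and can run on web-1 but not on prod-db-1, which is the kind of check worth doing before a policy goes live.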